Restore TCP wrappers support

Support for TCP wrappers was dropped in OpenSSH 6.7. See this message and thread: https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032497.html It is true that this reduces preauth attack surface in sshd. On the other hand, this support seems to be quite widely used, and abruptly dropping it (from the perspective of users who don't read openssh-unix-dev) could easily cause more serious problems in practice. It's not entirely clear what the right long-term answer for Debian is, but it at least probably doesn't involve dropping this feature shortly before a freeze. Forwarded: not-needed Last-Update: 2019-06-05 Patch-Name: restore-tcp-wrappers.patch
author: Colin Watson <cjwatson@debian.org> 2014-10-07 13:22:41 +0100
committer: Colin Watson <cjwatson@debian.org> 2020-06-07 10:25:35 +0100
commit: 7e3de67f8447064d6963e8299653d8e01baaef1e (patch)
tree: b2aa054e6456e1fcdab14ae304694f99061c85d8 /sshd.c
parent: 79f9d21b406c172878896ef41cdc2502fc2f84a7 (diff)
1 files changed, 25 insertions, 0 deletions
diff --git a/sshd.c b/sshd.c
index 02fca5c28..e96d90809 100644
--- a/sshd.c
+++ b/sshd.c
@@ -124,6 +124,13 @@
 #include "ssherr.h"
 #include "sk-api.h"
+#ifdef LIBWRAP
+#include <tcpd.h>
+#include <syslog.h>
+int allow_severity;
+int deny_severity;
+#endif /* LIBWRAP */
 /* Re-exec fds */
 #define REEXEC_DEVCRYPTO_RESERVED_FD    (STDERR_FILENO + 1)
 #define REEXEC_STARTUP_PIPE_FD          (STDERR_FILENO + 2)
@@ -2132,6 +2139,24 @@ main(int ac, char **av)
 #ifdef SSH_AUDIT_EVENTS
        audit_connection_from(remote_ip, remote_port);
 #endif
+#ifdef LIBWRAP
+        allow_severity = options.log_facility|LOG_INFO;
+        deny_severity = options.log_facility|LOG_WARNING;
+        /* Check whether logins are denied from this host. */
+        if (ssh_packet_connection_is_on_socket(ssh)) {
+                struct request_info req;
+                request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
+                fromhost(&req);
+                if (!hosts_access(&req)) {
+                        debug("Connection refused by tcp wrapper");
+                        refuse(&req);
+                        /* NOTREACHED */
+                        fatal("libwrap refuse returns");
+                }
+        }
+#endif /* LIBWRAP */
        rdomain = ssh_packet_rdomain_in(ssh);
author	Colin Watson <cjwatson@debian.org>	2014-10-07 13:22:41 +0100
committer	Colin Watson <cjwatson@debian.org>	2020-06-07 10:25:35 +0100
commit	7e3de67f8447064d6963e8299653d8e01baaef1e (patch)
tree	b2aa054e6456e1fcdab14ae304694f99061c85d8 /sshd.c
parent	79f9d21b406c172878896ef41cdc2502fc2f84a7 (diff)

diff --git a/sshd.c b/sshd.c index 02fca5c28..e96d90809 100644 --- a/sshd.c +++ b/sshd.c
@@ -124,6 +124,13 @@
124	#include "ssherr.h"	124	#include "ssherr.h"
125	#include "sk-api.h"	125	#include "sk-api.h"
126		126
		127	#ifdef LIBWRAP
		128	#include <tcpd.h>
		129	#include <syslog.h>
		130	int allow_severity;
		131	int deny_severity;
		132	#endif /* LIBWRAP */
		133
127	/* Re-exec fds */	134	/* Re-exec fds */
128	#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)	135	#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
129	#define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)	136	#define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
@@ -2132,6 +2139,24 @@ main(int ac, char **av)
2132	#ifdef SSH_AUDIT_EVENTS	2139	#ifdef SSH_AUDIT_EVENTS
2133	audit_connection_from(remote_ip, remote_port);	2140	audit_connection_from(remote_ip, remote_port);
2134	#endif	2141	#endif
		2142	#ifdef LIBWRAP
		2143	allow_severity = options.log_facility\|LOG_INFO;
		2144	deny_severity = options.log_facility\|LOG_WARNING;
		2145	/* Check whether logins are denied from this host. */
		2146	if (ssh_packet_connection_is_on_socket(ssh)) {
		2147	struct request_info req;
		2148
		2149	request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
		2150	fromhost(&req);
		2151
		2152	if (!hosts_access(&req)) {
		2153	debug("Connection refused by tcp wrapper");
		2154	refuse(&req);
		2155	/* NOTREACHED */
		2156	fatal("libwrap refuse returns");
		2157	}
		2158	}
		2159	#endif /* LIBWRAP */
2135		2160
2136	rdomain = ssh_packet_rdomain_in(ssh);	2161	rdomain = ssh_packet_rdomain_in(ssh);
2137		2162